-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2022-22932: Path traversal flaws

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: all versions of Apache Karaf prior to 4.2.15 or 4.3.6

Description:

The Apache Karaf obr:* commands and the run goal of the karaf-maven-plugin have a
partial path traversal flaw that allows a supplied path to escape the expected folder.

The risk is low because the obr:* commands are rarely used and the path is supplied by the user.
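The advisory calls the flaw a "partial" path traversal. The example below is added here for illustration; it is not Apache Karaf's code and is not taken from the fix commits linked in this advisory. It assumes the common Java root cause of that term: a containment check done with String.startsWith on a normalised path, which rejects "../" sequences but still accepts a sibling directory whose name merely shares the prefix of the expected folder. The base directory and the candidate paths are constructed for the demonstration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not Apache Karaf's code): a string-prefix containment check
 * that is only a partial defence, beside a check that compares path elements.
 */
public class PathContainment {

    // Constructed base directory for the demonstration (assumption, not a Karaf path).
    static final Path BASE = Paths.get("/srv/karaf/data");

    /**
     * Weak check: normalise and compare as strings. "../" segments are
     * collapsed by normalize(), but "/srv/karaf/data2/x" still starts with
     * "/srv/karaf/data", so a sibling directory that shares the prefix passes.
     * Code that uses File.getCanonicalPath() for the strings has the same bug.
     */
    static boolean weakIsInside(Path base, Path candidate) {
        String b = base.normalize().toString();
        String c = candidate.normalize().toString();
        return c.startsWith(b);
    }

    /**
     * Hardened check: Path.startsWith compares whole name elements, so
     * "/srv/karaf/data2" is not treated as a child of "/srv/karaf/data".
     * When the file exists, call toRealPath() on both sides first so that
     * symbolic links are resolved before the comparison.
     */
    static boolean isInside(Path base, Path candidate) {
        Path b = base.normalize();
        Path c = candidate.normalize();
        return c.startsWith(b);
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate path and three escape attempts.
        String[] inputs = {
            "/srv/karaf/data/bundles/a.jar",     // legitimate: both checks accept
            "/srv/karaf/data/../../etc/passwd",  // classic traversal: both checks reject
            "/srv/karaf/data2/secret.txt",       // partial traversal: weak check accepts
            "/srv/karaf/data-backup/x",          // same prefix trick: weak check accepts
        };
        for (String s : inputs) {
            Path p = Paths.get(s);
            System.out.printf("%-38s weak=%-5b hardened=%b%n",
                    s, weakIsInside(BASE, p), isInside(BASE, p));
        }
    }
}
```

Path.startsWith works on name elements, so the hardened check does not need a trailing separator appended to the base string. A relative candidate should be resolved against the base (base.resolve(candidate)) before the check, since an absolute base never "starts with" a relative path.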

This has been fixed in revisions:

https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4
https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf

Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6
or later as soon as possible, or make sure the paths passed to these commands are correct.

JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326

Credit: This issue was discovered and reported by GHSL team member Jaroslav Lobacevski.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEGqjPktQJpzOT0Lc2v/LuQsgoLnYFAmHlhlkACgkQv/LuQsgo
Lna91A//YplFoZ+fe1v7oiYzskpGBPNoYJeM8i22vkBQmDEd6PDEXhURI/QFQWTX
tBg5segXR+xG/vCE5il6ihPuUBMi+gXxPXOnpmiIFhprNgNjLAUk/q2uhUXhkDNQ
L9z0uSmArNxcdaTE3x5M7r0VV/DWRRw61KWqsG3m5zurk/aGP2fYwTQxTqyAB0qr
Wuo4wuq4ae2Wf20xqnlc19uCf15EkYxqdCuDRXfp7Iwh0VchUe/wMsJ8gobjfAuH
o9r/PsVhFKo9iwTKvWOsbQOC7tpA9qqZBGa2+25sZTvYEFGWu/XrxfXE+5BOOk31
3z26EMvLOfy70YFfIP4iQRGkK93g8TruW82vf8+LAASjjOVvJsHX0diAY6PAH8sZ
qFjfmiTrK7I5DsSsPUphcDMRJWx/fAASdmcE/gCbLdPxCrkVQbv367/1wqUKMEQ7
yQRWjEajTACphFLtjhe02YFvLkoa0M0F2u1bm2BvSNT9VwI8IM/9KqiFpdtP/de0
Mt31S2Od10BFYUSTZ9uKgTzA+aMKw+pcXowQvYSvXj23t9YieMqajW5vKE8LxutW
y44hwBpi2Rt0c+SRhpNRv5ot5/yUy6T9MffuAm1qlleeSHLqNMnpzpKfsf9QdXRt
CM5KMeF1oyI06c69xjLGrr8vfddR+Z3uAmWU9OW0UqHsC93bezE=
=gTgN
-----END PGP SIGNATURE-----